Fix GH-16959: snmpget modifies the object_id (as array).

devnexen · devnexen · commit d572b1bfc424 · 2024-11-27T19:12:24.000Z
Instead of modifying the zval, we use the zend_try_get_string.
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
@@ -676,8 +676,12 @@ static bool php_snmp_parse_oid(
 		objid_query->vars = (snmpobjarg *)safe_emalloc(sizeof(snmpobjarg), zend_hash_num_elements(oid_ht), 0);
 		objid_query->array_output = (st & SNMP_CMD_SET) == 0;
 		ZEND_HASH_FOREACH_VAL(oid_ht, tmp_oid) {
-			convert_to_string(tmp_oid);
-			objid_query->vars[objid_query->count].oid = Z_STRVAL_P(tmp_oid);
+			zend_string *tmp = zval_try_get_string(tmp_oid);
+			if (!tmp) {
+				continue;
+			}
+			objid_query->vars[objid_query->count].oid = ZSTR_VAL(tmp);
+			zend_string_release(tmp);
 			if (st & SNMP_CMD_SET) {
 				if (type_str) {
 					pptr = ZSTR_VAL(type_str);
diff --git a/ext/snmp/tests/gh16959.phpt b/ext/snmp/tests/gh16959.phpt
@@ -0,0 +1,44 @@
+--TEST--
+snmpget() modifies object_id array source
+--EXTENSIONS--
+snmp
+--SKIPIF--
+<?php
+require_once(__DIR__.'/skipif.inc');
+?>
+--FILE--
+<?php
+require_once(__DIR__.'/snmp_include.inc');
+
+$bad_object_ids = array (
+077 => 077, -066 => -066, -0345 => -0345, 0 => 0
+);
+var_dump($bad_object_ids);
+var_dump(snmpget($hostname, "", $bad_object_ids) === false);
+// The array should remain unmodified
+var_dump($bad_object_ids);
+?>
+--EXPECTF--
+array(4) {
+  [63]=>
+  int(63)
+  [-54]=>
+  int(-54)
+  [-229]=>
+  int(-229)
+  [0]=>
+  int(0)
+}
+
+Warning: snmpget(): Invalid object identifier: -229 in %s on line %d
+bool(true)
+array(4) {
+  [63]=>
+  int(63)
+  [-54]=>
+  int(-54)
+  [-229]=>
+  int(-229)
+  [0]=>
+  int(0)
+}
